Making technology work for you...

Get Your Free Subscription By Email:

3wPlayer Malware Infected Torrent's Spreading On P2P Networks

3wPlayer Media Player

Recently Torrent sites are getting spammed by malicious torrent uploads disguised as new movie releases, torrent users are reporting that they have downloaded various videos mostly claiming to be new movie releases or TV shows only to be confronted with a short video which advises them to download a new media player called 3wPlayer to view the rest of file. The few second clip show the Url to download this malware media player 3wPlayer.

The player installs a form of CIDHELP malware which is very hard to get rid of, The only solution to this problem is to make the user aware of this kind of tactic and reporting any such torrent to the torrent website for removal.


Download & use this 3wplayer and similar video malware Auto-Fixer for windows to decode files (Special Direct Rapidshare Premium Link ~ 590 KB) >>

USAGE: decoder.exe 3wPlayerencodedfilename.avi outputfilename.avi

To decrypt the underlying video data you can the following perl script.

# Turn of output buffer

# The key for XOR decryption

print "Reading from \"$ARGV[0]\":\n";
$insize = -s $ARGV[0];
# Open the bogus AVI file
open(IN, $ARGV[0]) or die $!;
binmode IN;

# Read Header to check
read(IN, $buffer, 4);
if ($buffer ne 'RIFF') {
print " ERROR: \"$ARGV[0]\" is not an AVI\n";
close IN;
# Get Length of the unencrypted movie
read(IN, $buffer, 4);
$offset = unpack 'L', $buffer;
print " End of the unencrypted movie is at byte offset $offset\n";

# Jump to the read offset
seek(IN, $offset, 0);

# The next 4 or 8 Bytes seem to be either an unsinged long
# or an unsigned quad. This is another offset to jump
# over some filler bytes. Right now I can't really tell if
# it's 4 or 8 bytes, because I only have 1 file to test with.
# I assume it's a quad.

# low word
read(IN, $buffer, 4);
$offlo = unpack 'L', $buffer;
# high word
read(IN, $buffer, 4);
$offhi = unpack 'L', $buffer;
# Calculate offset
$offset = $offhi * 4294967296 + $offlo;

print " Offset after the unencrypted movie is $offset\n";
seek(IN, $offset, 0);

# Then there seem to be another 100 filler bytes
# with value 0xff. Jump over those too, to get
# to the offset where the real movie starts.
printf " Adding extra filler bytes, final offset is %s\n", $offset+100;
seek(IN, 100, 1);

# Update the size
$insize -= $offset+100;

# Open a file for writing the decrypted data to
print "Decrypting to \"$ARGV[1]\":\n";
open(OUT, ">$ARGV[1]");
binmode OUT;
truncate OUT, 0;

$bytes = 0;
$klen = length($key);
# Read key length bytes, decrypt them and
# write them to the output file untill you reach
# the end of the file
while ( read(IN, $buffer, $klen) ) {
$buffer ^= $key;
print OUT $buffer;
$bytes += $klen;
# print the status
if ( ( $bytes % 200000 ) == 0 )
printf "\r %d written (% .1f %%)", $bytes, ($bytes / $insize * 100);
# Close both files
close OUT;
close IN;
print "\n\nDONE!\n";


hi i don't know how to make it work for my computer.
I don't know perl
and tell me if this file avi is decoded in perl?
and can hex editor can solve any problem??
if possible answer me at

You need to download and install PERL (and as 3WPlayer only works on Windows) I'll assume you're using MS Windows. Goggle will direct you to and you'll find the downloads.

PERL is a UNIX command line programming language, ActivePerl is the MS Windows verions.

On computers as of:
8/20/2010 at 5:57:51 AM
Last Used:
8/20/2010 at 5:59:51 AM
Startup Item:
This file risk is high.
Threat Details
Threat type: Virus. Programs that infect other programs, files, or areas of a computer by inserting themselves or attaching themselves to that medium.
Downloaded from
Downloaded File from:
Source: External Media

File Actions
File: d:\decoder.exe
File Thumbprint - SHA:
Not Available
File Thumbprint - MD5:
Not Available

Under "update" you should discontinue the web link description as an actual link. I thought you were providing a fix. Fortunately Avast! anti-virus shut down the webpage before it opened. It is a direct link to Rapidshare, a known threat. I wonder how many others were confused by finding this link on your page.

That is actually the utility coded by me in perl wrapped as an exe and is perfectly safe, the AV is giving a false positive because it's a perl script (popular hacking language). Here is a VirusTotal scan report with score 3/ 43 which means only three av-engine detect it as a threat out of 43 also among those two are avast products.

Add new comment

This is just one of the many helpful tips we have posted, You can find more stories here,
Do subscribe to updates using your favorite RSS feed reader or using the secure FeedBurner email update form on top of this post.